                         Department of Homeland Security

          Information Technology Management Letter for the
         Federal Emergency Management Agency Component
              of the FY 2011 DHS Financial Statement Audit

OIG-12-70                                                              April 2012


                                                    Office of Inspector General
                                                    U.S. Department of Homeland Security
                                                    Washington, DC 20528

                                          April 5, 2012

                                             Preface

The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established
by the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector
General Act of 1978. This is one of a series of audit, inspection, and special reports prepared as
part of our oversight responsibilities to promote economy, efficiency, and effectiveness within
the Department.

This report presents the information technology (IT) management letter for the Federal
Emergency Management Agency (FEMA) component of the FY 2011 DHS consolidated
financial statement audit as of September 30, 2011. It contains observations and
recommendations related to information technology internal control weaknesses that were
summarized in the Independent Auditors' Report dated November 11, 2011, and represents the
separate restricted distribution report mentioned in that report. The independent accounting firm
KPMG LLP (KPMG) performed the audit procedures at the FEMA component in support of the
DHS FY 2011 consolidated financial statement audit and prepared this IT management letter.
KPMG is responsible for the attached IT management letter and the conclusions expressed in it.
We do not express opinions on DHS' financial statements or internal control or conclusions on
compliance with laws and regulations.

The recommendations herein have been developed to the best knowledge available to our office,
and have been discussed in draft with those responsible for implementation. We trust that this
report will result in more effective, efficient, and economical operations. We express our
appreciation to all of those who contributed to the preparation of this report.

                                             Frank Deffer
                                             Assistant Inspector General
                                             Office of Information Technology Audits


                                KPMG LLP
                                Suite 12000
                                1801 K Street, NW
                                Washington, DC 20006

February 22, 2012

Inspector General
U.S. Department of Homeland Security

Chief Information Officer and
Chief Financial Officer
U.S. Federal Emergency Management Agency

We have audited the balance sheet of the U.S. Department of Homeland Security (DHS or
Department) as of September 30, 2011 and the related statement of custodial activity for the year
then ended (referred to herein as the "fiscal year (FY) 2011 financial statements"). The objective
of our audit was to express an opinion on the fair presentation of these financial statements. We
were also engaged to examine the Department's internal control over financial reporting of the
balance sheet as of September 30, 2011, and statement of custodial activity for the year then ended,
based on the criteria established in Office of Management and Budget, Circular No. A-123,
Management's Responsibility for Internal Control, Appendix A. In connection with our audit, we
also considered DHS' compliance with certain provisions of applicable laws, regulations,
contracts, and grant agreements that could have a direct and material effect on the FY 2011
financial statements.

Our Independent Auditors' Report issued on November 11, 2011, describes a limitation on the
scope of our audit that prevented us from performing all procedures necessary to express an
unqualified opinion on DHS' FY 2011 financial statements and internal control over financial
reporting. In addition, the FY 2011 DHS Secretary's Assurance Statement states that the
Department was unable to provide assurance that internal control over financial reporting was
operating effectively at September 30, 2011.

A deficiency in internal control exists when the design or operation of a control does not allow
management or employees, in the normal course of performing their assigned functions, to prevent,
or detect and correct misstatements on a timely basis. A material weakness is a deficiency, or
combination of deficiencies, in internal control such that there is a reasonable possibility that a
material misstatement of the entity's financial statements will not be prevented, or detected and
corrected on a timely basis. A significant deficiency is a deficiency, or a combination of
deficiencies, in internal control that is less severe than a material weakness, yet important enough to
merit attention by those charged with governance. In accordance with Government Auditing
Standards, our Independent Auditors' Report, dated November 11, 2011, included internal control
deficiencies identified during our audit that, individually or in aggregate, represented a material
weakness or a significant deficiency. This letter represents the separate limited distribution report
mentioned in that report.

During our audit engagement, we noted certain matters in the areas of access controls, configuration
management, security management, contingency planning, and segregation of duties with respect to
DHS' financial systems general Information Technology (IT) controls which we believe contribute
to a DHS-level significant deficiency that is considered a material weakness in IT controls and
financial system functionality. We also noted that in some cases, financial system functionality is
inhibiting DHS' ability to implement and maintain internal controls, notably IT application
controls supporting financial data processing and reporting. These matters are described in the
General IT Control Findings and Recommendations section of this letter.

                                KPMG LLP is a Delaware limited liability partnership,
                                the U.S. member firm of KPMG International Cooperative
                                ("KPMG International"), a Swiss entity.

Although not considered to be a material weakness, we also noted certain other items during our
audit engagement which we would like to bring to your attention. These matters are also described
in the General IT Control Findings and Recommendations section of this letter.

The material weakness and other comments described herein have been discussed with the
appropriate members of management, or communicated through a Notice of Finding and
Recommendation (NFR), and are intended For Official Use Only. We aim to use our knowledge of
DHS' organization gained during our audit engagement to make comments and suggestions that we
hope will be useful to you. We have not considered internal control since the date of our
Independent Auditors' Report.

The Table of Contents on the next page identifies each section of the letter. We have provided a
description of key DHS financial systems within the scope of the FY 2011 DHS financial statement
audit engagement in Appendix A; a description of each internal control finding in Appendix B; and
the current status of the prior year NFRs in Appendix C. Our comments related to financial
management and reporting internal controls (comments not related to IT) have been presented in a
separate letter to the Office of Inspector General and the DHS Chief Financial Officer.

This report is intended solely for the information and use of DHS management, DHS Office of
Inspector General (OIG), U.S. Office of Management and Budget (OMB), U.S. Government
Accountability Office (GAO), and the U.S. Congress, and is not intended to be and should not be
used by anyone other than these specified parties.

Very truly yours,


                              Department of Homeland Security
                          Federal Emergency Management Agency
                          Information Technology Management Letter
                                     September 30, 2011

              INFORMATION TECHNOLOGY MANAGEMENT LETTER

                                      TABLE OF CONTENTS

                                                                                   Page

Objective, Scope, and Approach                                                        1

Summary of Findings and Recommendations                                               3

General IT Control Findings and Recommendations                                       5

       Configuration Management                                                       5

       Security Management                                                            6

             After-Hours Physical Security Testing                                    7

             Social Engineering Testing                                               8

       Access Controls                                                                8

       Segregation of Duties                                                          9

       Contingency Planning                                                           9

Application Controls                                                                 14


                                          APPENDICES

Appendix   Subject                                                                 Page

   A       Description of Key FEMA Financial Systems and IT Infrastructure within
           the Scope of the FY 2011 DHS Financial Statement Audit                    15

   B       FY 2011 Notices of IT Findings and Recommendations at the FEMA            18

               •   Notice of Findings and Recommendations – Definition of
                   Severity Ratings                                                  19

   C       Status of Prior Year Notices of Findings and Recommendations and
           Comparison to Current Year Notices of Findings and Recommendations
           at the FEMA                                                               25

   D       Report Distribution                                                       29


  Information Technology Management Letter for the Federal Emergency Management
            Agency Component of the FY 2011 DHS Financial Statement Audit


                         OBJECTIVE, SCOPE, AND APPROACH

We have audited the U.S. Department of Homeland Security's (DHS or Department) balance sheet
as of September 30, 2011, and the related statement of custodial activity for the year then ended.
We were also engaged to examine the Department's internal control over financial reporting of the
balance sheet as of September 30, 2011 and the statement of custodial activity for the year then
ended. During our fiscal year (FY) 2011 financial statement audit, we performed an evaluation of
general information technology (IT) controls (GITC) at the Federal Emergency Management
Agency (FEMA). The Federal Information System Controls Audit Manual (FISCAM), issued by
the U.S. Government Accountability Office (GAO), formed the basis of our GITC evaluation
procedures. The scope of the GITC evaluation is further described in Appendix A.

FISCAM was designed to inform financial auditors about IT controls and related audit concerns to
assist them in planning their audit work and to integrate the work of auditors with other aspects of
the financial audit. FISCAM also provides guidance to IT auditors when considering the scope and
extent of review that generally should be performed when evaluating general controls and the IT
environment of a federal agency. FISCAM defines the following five control functions to be
essential to the effective operation of the GITC environment:

•  Security Management (SM) – Controls that provide a framework and continuing cycle of
   activity for managing risk, developing security policies, assigning responsibilities, and
   monitoring the adequacy of computer-related security controls.
•  Access Control (AC) – Controls that limit or detect access to computer resources (data,
   programs, equipment, and facilities) and protect against unauthorized modification, loss, and
   disclosure.
•  Configuration Management (CM) – Controls that help to prevent unauthorized changes to
   information system resources (software programs and hardware configurations) and provide
   reasonable assurance that systems are configured and operating securely and as intended.
•  Segregation of Duties (SD) – Controls that constitute policies, procedures, and an organizational
   structure to manage who can control key aspects of computer-related operations.
•  Contingency Planning (CP) – Controls that involve procedures for continuing critical operations
   without interruption, or with prompt resumption, when unexpected events occur.

To complement our GITC audit procedures, we also performed technical security testing for key
network and system devices, as well as testing over certain key financial application controls in the
FEMA environment. The technical security testing was performed from within a select FEMA
facility and focused on production devices that directly support FEMA's financial processing and
key general support systems. Limited social engineering and after-hours physical security testing
was also included in the scope of technical security testing.

In addition to testing FEMA's general control environment, we performed application control tests
on a limited number of FEMA's financial systems and applications, specifically those supporting
the National Flood Insurance Program (NFIP). The application control testing was performed to
assess the controls that support the financial systems' internal controls over the input, processing,
and output of financial data and transactions.

•  Application Controls (APC) – Application controls are the structure, policies, and procedures
   that apply to separate, individual application systems, such as accounts payable, inventory, or
   payroll.


               SUMMARY OF FINDINGS AND RECOMMENDATIONS

During FY 2011, FEMA took corrective action to address certain prior year IT control weaknesses.
For example, FEMA made improvements over implementing certain logical controls over FEMA
and NFIP information systems, as well as development and implementation of controls around
patch management and vulnerability management. Additionally, we noted improvement in the
areas of certain IT entity-level controls, including those related to incident response and handling,
contractor management, and IT investment life cycle management. However, during FY 2011, we
continued to identify IT general control weaknesses that could potentially impact FEMA's financial
data. The most significant weaknesses from a financial statement audit perspective related to
controls over security management, access control, configuration management, and contingency
planning for the Integrated Financial Management Information System (IFMIS)-Merger, financial
applications within the previous National Emergency Management Information System
accreditation boundary (hereinafter referred to as "NEMIS"), Payment and Reporting System
(PARS), Traverse, Transaction Record Reporting and Processing (TRRP), and associated General
Support System (GSS) environments, as well as weaknesses over physical security and security
awareness.

Collectively, the IT control weaknesses limited FEMA's ability to ensure that critical financial and
operational data were maintained in such a manner as to ensure confidentiality, integrity, and
availability. In addition, these weaknesses negatively impacted the internal controls over FEMA
financial reporting and its operation, and we consider them to collectively contribute to a material
weakness at the DHS level under standards established by the American Institute of Certified Public
Accountants (AICPA). In addition, based upon the results of our test work, we noted that FEMA
did not fully comply with the requirements of the Federal Financial Management Improvement Act
of 1996 (FFMIA).

Of the 48 findings identified during our FY 2011 testing, 40 were repeat findings, either partially or
in whole from the prior year, and 8 were new IT findings. These findings represent weaknesses in
each of the five FISCAM key control areas.

The majority of findings resulted from the lack of properly designed, detailed, and consistent
guidance over financial system controls to enforce DHS Sensitive Systems Policy Directive 4300A,
Information Technology Security Program, requirements and National Institute of Standards and
Technology (NIST) guidance. Specifically, the findings stem from: 1) the lack of formal
designation of financial system security responsibilities, 2) inadequately designed and operating
access control policies and procedures relating to the management of access to financial
applications, databases, and support systems, and supervisor recertification of user access
privileges, 3) insufficient logging of system events and monitoring of audit logs, 4) inadequately
designed and operating configuration management policies and procedures, 5) patch, configuration,
and vulnerability management control deficiencies within the system, 6) financial systems that were
not properly certified and accredited and authorized to operate, and 7) the lack of adequately
documented or tested contingency plans. These weaknesses may increase the risk that the
confidentiality, integrity, and availability of system controls and FEMA financial data could be
exploited, thereby compromising the integrity of FEMA financial data used by management and
reported in the DHS financial statements.

While the recommendations made by us should be considered by FEMA, it is the ultimate
responsibility of FEMA management to determine the most appropriate method(s) for addressing
the weaknesses identified based on their system capabilities and available resources.


         GENERAL IT CONTROL FINDINGS AND RECOMMENDATIONS

Findings:

During the FY 2011 DHS financial statement audit, we identified the following IT and financial
system control deficiencies at FEMA that collectively contribute to an IT material weakness at the
Department level. Our findings focused on financial systems controls, as testing over IT system
functionality could not be conducted.

Configuration Management

        •  Password, security patch management, and configuration deficiencies were identified
           during the vulnerability assessment on hosts supporting IFMIS-Merger, NEMIS, and
           general support systems;
        •  Formal procedures for conducting internal scans of servers supporting NEMIS did not
           define requirements or procedures to ensure that system owners are aware of, and
           appropriately execute, responsibilities associated with vulnerability management for the
           system components under their area of responsibility. Additionally, vulnerabilities
           identified on NEMIS system components were not consistently tracked or monitored
           via the Plan of Actions & Milestones (POA&M) process;
        •  Formalized configuration management plans for NEMIS and IFMIS-Merger were not
           documented to ensure that changes were adequately and centrally controlled,
           documented, or managed throughout the lifecycle of the FEMA configuration
           management process;
        •  No formalized change management procedures existed for the use of shared accounts
           for deploying changes to the NEMIS production environment or to ensure that the
           movement of production code for NEMIS is appropriately controlled or monitored.
           Additionally, evidence could not be provided that management had appropriately
           restricted and controlled access to the NEMIS production application, web, and
           database servers for the deployment of changes;
        •  Configuration management policies and procedures did not include comprehensive
           requirements for the frequency, documentation, and performance of monitoring audits
           for configuration baselines for all relevant network devices such as firewalls, routers,
           and switches that support financial systems to ensure that configuration items (CIs)
           within the scope of financial systems are documented and monitored in accordance with
           FEMA policy. Additionally, configuration changes which were implemented over these
           devices were not consistently or adequately documented or authorized;
        •  A formalized process for modifying IFMIS-Merger system security functions to ensure
           that appropriate privileges are created, documented, approved, and monitored did not
           exist;
        •  Formal procedures were not implemented to require monitoring of changes deployed to
           IFMIS-Merger program libraries to review and validate implemented changes.
           Furthermore, informal reviews of developer activities that were conducted did not
           provide enough information to ensure that the approved changes were implemented;
        •  For a majority of the fiscal year, formal procedures for conducting internal scans of the
           NFIP Local Area Network (LAN) supporting Traverse did not incorporate all
           components of the system environment to ensure that scans were properly conducted
           and monitored by FEMA or NFIP contractor management. Additionally, a formal
           process did not exist for the remediation of vulnerabilities identified during internal
           scans to ensure that the vulnerabilities were tracked and monitored via the POA&M
           process;
        •  The configuration management plans for Traverse and TRRP did not comprehensively
           provide guidance to address all configuration management control elements required by
           FEMA and DHS policy for standard and emergency changes;
        •  TRRP changes were not approved prior to development and implementation into
           production;
        •  Formalized processes were not properly or comprehensively documented and
           implemented to ensure that FEMA management within the Federal Insurance and
           Mitigation Administration (FIMA), Risk Insurance Division (RID), were adequately
           involved in configuration management activities over Traverse and TRRP;
        •  Documentation supporting the logical components of the TRRP environment was not
           current or complete; and
        •  For a majority of the fiscal year, documented change management procedures did not
           include requirements for approving, testing, and ensuring timely installation of
           operating system patches for all components of the NFIP LAN supporting Traverse.

Security Management

        •  Policies and procedures requiring the completion and tracking of specialized training
           for FEMA employees and contractors identified as possessing significant information
           security responsibilities had not been fully implemented as required by DHS policy;
        •  Certification and accreditation (C&A) activities for IFMIS-Merger and the NFIP IT
           environment were not completed in accordance with DHS and NIST requirements;
        •  The FEMA Switch Network (FSN)-2 C&A package was not completed in compliance
           with DHS and NIST requirements and had not been updated to reflect the current
           operating environment. Additionally, the Authorization to Operate (ATO) expired in
           January 2010 and was not renewed. As a result, the FSN-2 GSS was operating without
           a valid ATO;
        •  Although the FSN-2 C&A package references various subsystems supporting and
           hosting IFMIS and NEMIS, FEMA management was unable to identify and confirm the
           FSN-2 subsystems (including regional LANs) that host all the production servers for
           NEMIS and IFMIS applications;
        •  Documentation associated with the C&A package for NEMIS, including the system
           security plan (SSP) and ATO, expired and was not renewed;
        •  IT security management responsibilities were not consistently or adequately assigned
           and performed over the FEMA POA&M process for FY 2010 IT audit findings, in
           accordance with DHS guidance; and
        •  Suitability investigations for FEMA Federal employees and contractors accessing DHS
           IT systems were not appropriately conducted, and results were not properly
           documented or tracked.

After-Hours Physical Security Testing:

We performed after-hours physical security testing to identify risks related to non-technical aspects
of IT security. These non-technical IT security aspects included physical access to media and
equipment that housed financial data and information residing on a FEMA employee's /
contractor's desk which could be used by others to gain unauthorized access to systems housing
financial information. The specific results are listed below:

                                                  FEMA Locations Tested
                                            Washington                  FEMA        Total
                                             Design      Patriots      Finance    Exceptions
Exceptions Noted                             Center       Plaza        Center      by Type
Passwords                                      3            6            13           22
For Official Use Only (FOUO)                   2            2             0            4
Keys                                           0            0             0            0
Personally Identifiable Information (PII)      6            2             2           10
Unlocked Laptops                               3            1             1            5
Server Names / IP Addresses                    1            1             0            2
Credit Cards                                   0            0             0            0
Classified Documents                           0            0             0            0
Unlocked Workstations                          1            0             0            1
Total by Location                             16           12            16           44

Social Engineering Testing:

Social engineering is defined as the act of attempting to manipulate or deceive individuals into
taking action that is inconsistent with DHS policies, such as divulging sensitive information or
allowing/enabling computer system access. The term typically applies to trickery or deception for
the purpose of information gathering or gaining computer system access. During the social
engineering testing, while several personnel provided us with user IDs, no passwords were divulged
or compromised. The specific results of our testing are documented in the following table:

                                        Number of Personnel   Number of Personnel   Number of Personnel
Testing        Total       Total        Who Provided Their    Who Provided Their    Who Provided Their
Date           Called      Answered     User ID and Password  User ID Only          Password Only
06/02/2011      45          17                  0                    10                    0
07/13/2011      35           8                  0                     6                    0

Access Controls

        •  Procedures for managing and periodically reviewing physical access to the facility
           hosting the NFIP LAN and Traverse were not formally documented or implemented
           and did not require documentation of periodic reviews for a majority of the fiscal year.
           Additionally, physical access privileges were not consistently or properly authorized;
        •  IFMIS-Merger, NEMIS, Traverse, and PARS application and/or database accounts,
           network accounts, and remote user accounts were not periodically reviewed for
           appropriateness and/or were not fully and accurately recertified in accordance with
           FEMA and DHS policy, resulting in inappropriate authorizations and excessive user
           access privileges;
        •  IFMIS-Merger and NEMIS application accounts, network accounts, and remote user
           accounts were not disabled or removed promptly upon personnel termination;
        •  Initial and modified access granted to TRRP application and FEMA network and
           remote users was not properly documented and authorized;
        •  Documented procedures for auditing NEMIS, IFMIS-Merger, and PARS databases
           were not comprehensive and did not meet DHS requirements. Additionally, for these
           financial systems, the NFIP LAN, Traverse, and TRRP, logging of operating system,
           application, and/or database events required to be recorded was not enabled for some
           or all of the events, audit logs were not appropriately reviewed and/or were reviewed by
           those with conflicting roles, and evidence of audit log reviews was not retained;
        •  The Standard Operating Procedure (SOP) for monitoring sensitive access to NEMIS
           operating system software was not implemented and did not include all operating
           system servers that were within the scope of the previous NEMIS accreditation
           boundary. Additionally, no application or tool was in place to support the audit logging
           function on the NEMIS servers;
        •  Strong password requirements were not enforced on the NEMIS databases, the NFIP
           LAN, or Traverse;
        •  FEMA's process for authorizing and managing remote virtual private network (VPN)
           access to external state emergency management agencies and FEMA contractors did
           not comply with DHS and FEMA requirements.
Specifically, existing documentation\n           did not define the requirements for administering the site survey process with external\n           organizations seeking VPN access or identify FEMA roles and responsibilities for\n           managing VPN access granted to external individuals using non-DHS equipment to\n           access the FEMA network;\n        \xe2\x80\xa2\t Two-factor authentication was not used for VPN access, as required by DHS policy;\n        \xe2\x80\xa2\t System administrator root access to IFMIS-Merger was not properly restricted, logged,\n           and monitored; and\n        \xe2\x80\xa2\t Emergency and temporary access to the IFMIS-Merger databases was not properly\n           authorized.\n\nSegregation of Duties \xe2\x80\x93 we identified segregation of duties weaknesses associated with other\nFISCAM areas. Specifically, weaknesses in those areas pertain to access controls over audit log\nreviews and configuration management controls for migrating code into production. 
See those respective sections for additional information.

Contingency Planning

        • Documented procedures that outline processes for performing backups of NEMIS production databases and for rotating and physically securing backup tapes off-site had not been formally defined;
        • NEMIS backup tapes were not regularly tested in accordance with FEMA and DHS policy;
        • An alternate processing site for NEMIS was not established and implemented. Additionally, an exception to DHS policy for the lack of an established alternate processing site, as required for systems such as NEMIS that are categorized as “high impact” for availability, had not been requested by FEMA (this weakness is enhanced due to the control deficiencies noted above associated with performance and testing of NEMIS data backups);
        • The most recent NEMIS contingency plan had expired and had not been revised or approved by FEMA management. Additionally, full-scale testing of the NEMIS contingency plan was not conducted;
        • For a majority of the fiscal year, the existing NFIP LAN and Traverse contingency plan was not updated or tested in compliance with DHS and NIST requirements; and
        • The FIMA RID Continuity of Operations Plan (COOP), including Traverse and TRRP, was not formally documented or approved until June 2011.

Recommendations:

We recommend that the FEMA Chief Information Officer (CIO) and Chief Financial Officer (CFO), in coordination with the DHS OCFO and the DHS OCIO, make the following improvements to FEMA’s financial management systems and associated information technology security program.

For Configuration Management

        • Implement the specific vendor-recommended corrective actions detailed in the Notice of Finding and Recommendation (NFR) that was issued for deficiencies identified during our vulnerability assessment;
        • Develop, finalize, and ensure that formal procedures are understood and implemented by system owners for all NEMIS system components under their area of responsibility for: conducting periodic internal vulnerability scans of all components of the system and assessing, reporting, tracking, and monitoring correction of vulnerabilities identified during internal scans;
        • Develop and implement formal configuration management plans for NEMIS and IFMIS-Merger to control emergency and non-emergency changes to financial systems application software, and ensure consistent adherence with requirements for approving, testing, documenting, properly controlling and tracking changes, and retaining related documentation;
        • Document and implement a formalized process and procedures for deploying NEMIS changes to ensure that access to the NEMIS production application, web, and database servers, including the use of shared accounts for movement of production code for the NEMIS production environment, is appropriately controlled and monitored;
        • Revise and fully implement configuration management policies and procedures over documenting and maintaining current baseline configurations for network devices supporting financial applications, including IFMIS-Merger, to ensure DHS and FEMA requirements are adequately addressed, configuration baselines are comprehensively documented, and configuration changes to network devices are consistently documented and authorized by FEMA. Additionally, policies and procedures should include guidance over requirements such as roles and responsibilities, documentation of baselines, periodic review and auditing, and approval of baseline changes for network devices;
        • Develop and implement formal procedures for conducting periodic reviews of changes deployed to IFMIS-Merger program libraries to verify that only authorized changes are implemented into production and for retaining evidence of reviews conducted on file;
        • Update the current versions of Traverse and TRRP configuration management plans and procedures to comprehensively address DHS and FEMA requirements; procedures should fully incorporate FIMA RID management in required configuration management activities and establish a process for conducting, validating, documenting, and approving tests of configuration changes prior to implementation as well as conducting post-deployment verification activities. Additionally, ensure the consistent implementation of configuration management procedures for all changes to Traverse and TRRP;
        • Update TRRP system documentation to fully reflect all current system components, including logical datasets associated with the production and test environments; and
        • Fully implement comprehensive patch management policies and procedures to ensure that required operating system patches for all components of the NFIP LAN supporting Traverse are authorized, tested, and implemented.

For Security Management

        • Fully implement policies and procedures requiring initial and periodic specialized training for individuals with significant information security responsibilities to ensure that training requirements for all individuals possessing specific roles and positions associated with significant information security responsibilities are tracked;
        • Document or update all required C&A artifacts for NEMIS, IFMIS-Merger, Traverse, TRRP, the NFIP LAN, and FSN-2 in accordance with DHS policy and NIST guidance. Additionally, ensure that C&A artifacts, including the risk assessment or the results of the required risk assessment activities, the Security Testing and Evaluation (ST&E), and the Security Assessment Report (SAR), are conducted and documented over all components of the systems in accordance with established DHS baseline controls according to the security categorization of the system;
        • Establish and document a formalized process to provide IT security management oversight to ensure that adequate periodic review and assessment of security controls are performed and corrective actions are appropriately assigned and implemented over identified security weaknesses through the POA&M process;
        • Further refine processes to ensure that background investigations for all types of Federal employees and contractors are consistently performed and centrally tracked in accordance with DHS policy;
        • Review the effectiveness of existing security awareness programs designed to protect “need-to-know” information, including IT system access credentials, electronic and physical data, PII, and FOUO agency information, and ensure that individuals are adequately instructed and reminded of their roles in the protection of sensitive system information from unauthorized individuals through formal, periodic communications and/or security awareness training.

For Access Controls

        • Fully establish and/or implement user account management recertification processes and require completion of periodic reviews of all user accounts for appropriate access and documentation of current user profiles for IFMIS-Merger, NEMIS, Traverse, and PARS; the FEMA network and remote user accounts; and physical access to the facility hosting the computer room supporting the NFIP LAN and the Traverse application. The processes should include revocation of accounts or access privileges that cannot be verified during recertification processes;
        • Update, as necessary, and consistently implement procedures and processes to ensure that all system accounts, including remote access accounts, of terminated employees and contractors are immediately removed/disabled upon their departure;
        • Review and revise existing procedures to require documented authorization of new and modified user accounts by supervisors, program managers, and contracting officers’ technical representatives in accordance with DHS requirements;
        • Revise and implement detailed procedures requiring the consistent and timely review of IFMIS-Merger, NEMIS, PARS, NFIP LAN, Traverse, and TRRP database, application, and operating system logs and the maintenance of documentation supporting such reviews in accordance with DHS requirements. These procedures should also incorporate segregation of duties principles;
        • Configure audit logs for financial databases and applications to ensure that auditable events, as required by DHS policy, are recorded and appropriately reviewed by personnel without conflicting duties, and sufficient evidence is retained;
        • Revise, implement, and ensure adherence to the SOP for monitoring sensitive access to NEMIS operating system software to ensure that the scope of the procedures includes all defined NEMIS servers, and deploy the appropriate tool(s) to support audit logging functions on the NEMIS servers, in accordance with FEMA and DHS policy;
        • Configure NEMIS databases and NFIP LAN and Traverse accounts to enforce strong password and authenticator control requirements, and ensure that individuals with system/database administration and security responsibilities are aware of and properly trained in DHS, FEMA, and Federal requirements;
        • Revise and implement policies and procedures for documenting, reviewing, and approving the security controls in place over non-DHS equipment connecting to the FEMA network via VPN access, and ensure that roles, responsibilities, and security requirements for authorizing and managing VPN access for external organizations connecting to the FEMA network are defined and implemented in accordance with DHS and FEMA policy;
        • Implement two-factor authentication for all remote access to the FEMA network;
        • Develop and implement policies and procedures that document the process of adding, deleting, and modifying IFMIS-Merger security functions to ensure that the proper controls are in place for modifying user account privileges. Additionally, ensure that the use of function modification privileges is monitored;
        • Develop and implement procedures for monitoring IFMIS system administrator and highly privileged account activities and restricting access to the root account, and ensure that reviews of system logs and records are properly conducted; and
        • Consistently implement a formal process for granting IFMIS-Merger emergency and temporary database access that includes segregation of duties considerations and appropriate approval from FEMA management, as required by DHS policy.

For Contingency Planning

        • Complete ongoing efforts to establish and implement an alternate processing site for NEMIS;
        • Ensure that a formal process is established, documented, and implemented to fully back up all necessary components of the NEMIS databases, secure backup media off-site, and periodically test NEMIS backup media at a frequency that is in accordance with FEMA and DHS policy; and
        • Update the NEMIS contingency plan in accordance with DHS requirements for high impact availability systems, inclusive of accurate system architecture information; conduct documented annual tests of the plan; and, as necessary, update the plan with lessons learned from testing.

APPLICATION CONTROLS

We concluded that application controls over NEMIS, IFMIS-Merger, and PARS could not be relied upon for purposes of our FY 2011 audit procedures because of the nature of the general IT control deficiencies identified and discussed above. As a result, we did not test application controls for these financial systems. However, we conducted certain application control testing over key financial systems supporting NFIP. Based on the testwork conducted, we did not identify any findings in the area of application controls related to NFIP during the FY 2011 DHS financial statement audit.

Appendix A

Description of Key FEMA Financial Systems and IT Infrastructure within the Scope of the FY 2011 DHS Financial Statement Audit

Below is a description of significant Federal Emergency Management Agency (FEMA) financial management systems and supporting information technology (IT) infrastructure included in the scope of the Department of Homeland Security (DHS) fiscal year (FY) 2011 financial statement audit.

Locations of Testing: FEMA Headquarters in Washington, D.C.; the Mount Weather Emergency Operations Center in Virginia; IT operations in Virginia; the National Flood Insurance Program (NFIP) in Virginia; and the NFIP contractor location in Maryland.

Systems Subject to Audit:

Integrated Financial Management Information System – Merger (IFMIS-Merger)

IFMIS-Merger is the official accounting system of FEMA and maintains all financial data for internal and external reporting. IFMIS-Merger is comprised of five subsystems: Funding, Cost Posting, Disbursements, Accounts Receivable, and General Ledger. The application is a Commercial Off-The-Shelf (COTS) software package developed and maintained by Digital Systems Group Incorporated (DSG). IFMIS-Merger interfaces with Payment and Reporting System (PARS), ProTrac, Smartlink (Department of Health and Human Services), Treasury Information Executive Repository (TIER) (Department of the Treasury), Secure Payment System (SPS) (Department of the Treasury), Grants Management System (Department of Justice), National Emergency Management Information System (NEMIS), U.S. Coast Guard Credit Card System, Credit Card Transaction Management System (CCTMS), Fire Grants, eGrants, Enterprise Data Warehouse (EDW), and Payroll (Department of Agriculture National Finance Center). IFMIS-Merger is located in Virginia.

Payment and Reporting System (PARS)

PARS is a standalone web-based application. The PARS database resides on the IFMIS-Merger UNIX server and is incorporated within the Certification & Accreditation (C&A) boundary for that system. Through its web interface, PARS collects Standard Form 425 information from grantees and stores the information in its Oracle 9i database. Automated cron jobs are run daily to update and interface grant and obligation information between PARS and IFMIS-Merger. All payments to grantees are made through IFMIS-Merger. PARS interfaces with IFMIS-Merger and is located in Virginia.

National Emergency Management Information System (NEMIS)

NEMIS is a FEMA-wide General Support System (GSS) integrating hardware, software, telecommunications infrastructure, and Web-based and client-server services and applications. NEMIS consists of many integrated subsystems distributed over hundreds of separate servers accessed by thousands of client workstations.

NEMIS is an integrated system to provide FEMA, the states, and other Federal agencies with functionality and automation to perform disaster-related operations. The subsystems and applications incorporated within NEMIS support all phases of emergency management and provide financial-related data to IFMIS-Merger via automated interfaces. NEMIS interfaces with IFMIS-Merger, U.S. Coast Guard Credit Card System, and Small Business Administration. The production environment for NEMIS is geographically distributed nationwide but is principally administered and managed in Virginia.

Traverse

Traverse is the general ledger application currently used by the National Flood Insurance Program (NFIP) Bureau and Statistical Agent to generate the NFIP financial statements. Traverse is a client-server application that runs on the NFIP Local Area Network (LAN) Windows server environment in Maryland. The Traverse client is installed on the desktop computers of the NFIP Bureau of Financial Statistical Control group members. Traverse has no known system interfaces.

Transaction Recording and Reporting Processing (TRRP)

The TRRP application acts as a central repository of all data submitted by the Write Your Own (WYO) companies and the Direct Servicing Agent (DSA) for the NFIP. TRRP also supports the WYO program, primarily by ensuring the quality of financial data submitted by the WYO companies and DSA to TRRP. TRRP is a mainframe-based application that runs on the NFIP mainframe logical partition in Connecticut. TRRP has no known system interfaces.

Appendix B

FY 2011 Notices of IT Findings and Recommendations at the FEMA
Notice of Findings and Recommendations (NFR) – Definition of Severity Ratings:

Each NFR listed in Appendix B is assigned a severity rating from 1 to 3 indicating the influence on the Department of Homeland Security (DHS) Consolidated Independent Auditors’ Report.

      1 – Not substantial
      2 – Less significant
      3 – More significant

The severity ratings indicate the degree to which the deficiency influenced the determination of severity for consolidated reporting purposes.

These ratings are provided only to assist the Federal Emergency Management Agency (FEMA) in prioritizing the development of its corrective action plans for remediation of the deficiency.

FY 2011 NFR #   | NFR Title                                                                                                                                                            | FISCAM Control Area      | 2011 Severity Rating | New Issue | Repeat Issue
FEMA-IT-11-01   | Alternate Processing Site for the National Emergency Management Information System (NEMIS) Has Not Been Established                                                 | Contingency Planning     | 3                    |           | X
FEMA-IT-11-02   | Weaknesses Exist in the Certification & Accreditation (C&A) Package for the FEMA Switched Network (FSN)-2, which Includes the FEMA Local Area Network (LAN)          | Security Management      | 3                    |           | X
FEMA-IT-11-03   | Weaknesses Exist over the Authorization to Operate (ATO) and C&A Documentation for NEMIS                                                                             | Security Management      | 3                    |           | X
FEMA-IT-11-04   | NEMIS Contingency Plan Does Not Comprehensively Address the Requirements of DHS Policy and Has Not Been Adequately Tested                                            | Contingency Planning     | 3                    |           | X
FEMA-IT-11-05   | Formalized Training Requirements for Individuals with Significant Information Security Responsibilities Have Not Been Fully Implemented and Role-Based Training is Not Tracked or Monitored | Security Management | 2           |           | X
FEMA-IT-11-06   | Documentation Supporting Integrated Financial Management Information System (IFMIS)-Merger User Functions Does Not Exist                                             | Configuration Management | 2                    |           | X
FEMA-IT-11-07   | Oracle Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary are Not Configured to Enforce Password Requirements              | Access Controls          | 2                    |           | X
FEMA-IT-11-08   | Oracle Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary Do Not Adequately Enforce Account Lockout Requirements           | Access Controls          | 3                    |           | X
FEMA-IT-11-09   | Operating System Audit Logging on Servers Supporting Financial Applications within the Previous NEMIS Accreditation Boundary is Not Adequate                         | Access Controls          | 3                    |           | X
FEMA-IT-11-10   | Weaknesses Existed over Contingency Planning, Testing and Development of the Continuity of Operations Plan for the Transaction Record Reporting and Processing (TRRP) Application and Traverse | Contingency Planning | 1     |           | X
FEMA-IT-11-11   | Recertification of NEMIS Access Control System Position Assignments is Incomplete                                                                                    | Access Controls          | 1                    |           | X
FEMA-IT-11-12   | Audit Logging on Databases Supporting Financial Applications within the Previous NEMIS Accreditation Boundary is Not Adequate                                        | Access Controls          | 3                    |           | X
FEMA-IT-11-13   | Weaknesses Exist over Vulnerability Management for Servers Supporting Financial Applications within the Previous NEMIS Accreditation Boundary                        | Configuration Management | 2                    |           | X
FEMA-IT-11-14   | National Flood Insurance Program (NFIP) Physical Access Policies and Procedures were Not Appropriately Documented and Implemented                                    | Access Controls          | 2                    | X         |
FEMA-IT-11-15   | NFIP LAN and Traverse Account Security Configuration Is Not in Compliance with DHS Policy                                                                            | Access Controls          | 1                    | X         |
FEMA-IT-11-16   | TRRP Logical Access was Not Appropriately Authorized                                                                                                                 | Access Controls          | 2                    | X         |
FEMA-IT-11-17   | Weaknesses Exist over Configuration and Operating Effectiveness of Traverse Audit Logs                                                                               | Access Controls          | 2                    | X         |
FEMA-IT-11-18   | Monitoring of Configuration Changes Deployed to the IFMIS-Merger Production Environment are Inadequate                                                               | Configuration Management | 3                    |           | X
                                                 Statement Audit \n\n                                                             Page 21\n\n\x0c                                                                                                                             Appendix B\n                                                      Department of Homeland Security\n                                                  Federal Emergency Management Agency\n                                                  Information Technology Management Letter\n                                                             September 30, 2011\n\n                                                                                                 2011 Severity                  Repeat\nFY 2011 NFR #                           NFR Title                          FISCAM Control Area      Rating       New Issue       Issue\nFEMA-IT-11-19   Weaknesses Exist over Configuration Management\n                                                                               Configuration\n                Processes for Financial Applications within the Previous                              3                           X\n                                                                               Management\n                NEMIS Accreditation Boundary\nFEMA-IT-11-20   Weaknesses Exist over IFMIS-Merger Configuration               Configuration\n                                                                                                      3                           X\n                Management Processes                                           Management\nFEMA-IT-11-21   Weaknesses Exist over Recertification of Access to the\n                                                                              Access Controls         3                           X\n                IFMIS-Merger Application\nFEMA-IT-11-22   Weaknesses Exist over TRRP Mainframe Audit Logs               Access Controls         2 
                          X\nFEMA-IT-11-23   Emergency and Temporary Access to IFMIS-Merger is\n                                                                              Access Controls         2                           X\n                Not Properly Authorized\nFEMA-IT-11-24   Weaknesses Exist over IFMIS-Merger Application and\n                                                                              Access Controls         3                           X\n                Database Audit Logging\nFEMA-IT-11-25   IFMIS-Merger User Access was Not Managed in\n                                                                              Access Controls         1                           X\n                Accordance with Account Management Procedures\nFEMA-IT-11-26   Payment and Reporting System (PARS) Database\n                                                                              Access Controls         2                           X\n                Security Controls Are Not Appropriately Established\nFEMA-IT-11-27   NFIP LAN Audit Logging is Not Performed in\n                                                                              Access Controls         1                           X\n                Accordance with DHS and FEMA Requirements\nFEMA-IT-11-28   Individual User Virtual Private Network (VPN) Access\n                Accounts are Not Appropriately Authorized or                  Access Controls         3                           X\n                Recertified\nFEMA-IT-11-29   External Connections to the FEMA VPN Are Not\n                                                                              Access Controls         3                           X\n                Appropriately Authorized or Documented\nFEMA-IT-11-30   IFMIS-Merger System Software Administrator Activity\n                                                                              Access Controls         3                           X\n                Is Not 
Appropriately Restricted or Monitored\n\n\n\nInformation Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2011 DHS Financial\n\n                                                         Statement Audit \n\n                                                             Page 22\n\n\x0c                                                                                                                            Appendix B\n                                                    Department of Homeland Security\n                                                Federal Emergency Management Agency\n                                                Information Technology Management Letter\n                                                           September 30, 2011\n\n                                                                                                2011 Severity                  Repeat\nFY 2011 NFR #                         NFR Title                          FISCAM Control Area       Rating       New Issue       Issue\nFEMA-IT-11-31   Weaknesses Exist over C&A Documentation for IFMIS-\n                                                                          Security Management        3                           X\n                Merger\nFEMA-IT-11-32   Risk Assessment Activities over NFIP IT Systems were\n                                                                          Security Management        2                           X\n                Not Adequately Performed\nFEMA-IT-11-33   Weaknesses Exist over Management and Technical\n                                                                            Access Controls          1                           X\n                Controls Associated with FEMA LAN Accounts\nFEMA-IT-11-34   Employee Termination Process for Removing System\n                                                                            Access Controls          3                           X\n      
          Access Should Be More Proactive\nFEMA-IT-11-35   Traverse Configuration Management Plan Weaknesses            Configuration\n                                                                                                     2                           X\n                                                                             Management\nFEMA-IT-11-36   TRRP Configuration Management Plan Weaknesses                Configuration\n                                                                                                     2                           X\n                                                                             Management\nFEMA-IT-11-37   Documentation Supporting TRRP Test Libraries Does            Configuration\n                                                                                                     1             X\n                Not Reflect Current Environment                              Management\nFEMA-IT-11-38   Federal Insurance and Mitigation Administration (FIMA)\n                                                                             Configuration\n                Configuration Management Program has Not Been                                        2             X\n                                                                             Management\n                Developed\nFEMA-IT-11-39   Weaknesses Exist over Background Investigations for\n                                                                          Security Management        2                           X\n                Federal Employees and Contractors\nFEMA-IT-11-40   Weaknesses in the Management of Plans of Action &\n                Milestones (POA&Ms) for Audit Findings over FEMA          Security Management        3                           X\n                Financial Systems\nFEMA-IT-11-41   Physical Security and Security Awareness Issues\n                                                                            Access 
Controls          2                           X\n                Associated with Enhanced Security Testing at FEMA\nFEMA-IT-11-42   Traverse Accounts Were Not Appropriately Recertified        Access Controls          2             X\n\n\n\nInformation Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2011 DHS Financial\n\n                                                         Statement Audit \n\n                                                             Page 23\n\n\x0c                                                                                                                            Appendix B\n                                                     Department of Homeland Security\n                                                 Federal Emergency Management Agency\n                                                 Information Technology Management Letter\n                                                            September 30, 2011\n\n                                                                                                2011 Severity                  Repeat\nFY 2011 NFR #                        NFR Title                           FISCAM Control Area       Rating       New Issue       Issue\nFEMA-IT-11-43   Lack of Adequate Configuration Management over               Configuration\n                                                                                                     2                           X\n                Network Devices Supporting Financial Systems                 Management\nFEMA-IT-11-44   Password, Patch, and Configuration Management\n                                                                             Configuration\n                Weaknesses Were Identified during the Vulnerability                                  3             X\n                                                                             Management\n                Assessment on IFMIS, NEMIS, and Key 
Support Servers\nFEMA-IT-11-45   Vulnerability Assessment Program for the NFIP LAN            Configuration\n                                                                                                     1                           X\n                Supporting Traverse was Inadequate                           Management\nFEMA-IT-11-46   Weaknesses Existed over the Configuration Patch\n                                                                             Configuration\n                Management Process for the NFIP LAN Supporting                                       1                           X\n                                                                             Management\n                Traverse\nFEMA-IT-11-47   Weaknesses Exist over the Configuration and Testing of\n                Backups for Servers Supporting Financial Applications    Contingency Planning        3                           X\n                Within the Previous NEMIS Accreditation Boundary\nFEMA-IT-11-48   Key Controls over Production Servers Supporting\n                                                                             Configuration\n                Applications Within the Former NEMIS Accreditation                                   3                           X\n                                                                             Management\n                Boundary Have Not Been Implemented\n\n\n\n\nInformation Technology Management Letter for the Federal Emergency Management Agency Component of the FY 2011 DHS Financial\n\n                                                         Statement Audit \n\n                                                             Page 24\n\n\x0c                                                                           Appendix C\n\n                          Department of Homeland Security\n\n                      Federal Emergency Management Agency\n\n                      Information Technology Management Letter\n\n 
                                September 30, 2010\n\n\n\n\n                                  Appendix C\n\n\nStatus of Prior Year Notices of Findings and Recommendations and \n\n       Comparison to Current Year Notices of Findings and \n\n                  Recommendations at the FEMA\n\n\n\n\n\nInformation Technology Management Letter for the Federal Emergency Management Agency\n\n                 Component of the FY 2011 DHS Financial Statement Audit\n\n                                        Page 25\n\n\x0c                                                                                                  Appendix C\n                                 Department of Homeland Security\n                             Federal Emergency Management Agency\n                             Information Technology Management Letter\n                                        September 30, 2010\n\n                                                                                             Disposition\n   NFR #                                    Description                             Closed           Repeat\nFEMA-IT-10-01   Recertification of National Emergency Management Information\n                System (NEMIS) Access Control System Position Assignments is                    FEMA-IT-11-11\n                Incomplete\nFEMA-IT-10-02   Alternate Processing Site for NEMIS Has Not Been Established                    FEMA-IT-11-01\nFEMA-IT-10-03   End-User Workstation Screensaver Configuration is Not Sufficient      X\nFEMA-IT-10-04   Operating System Audit Logging on Servers Supporting Financial\n                Applications within the Previous NEMIS Accreditation Boundary                   FEMA-IT-11-09\n                is Not Adequate\nFEMA-IT-10-05   Payment and Reporting System (PARS) Database Security\n                                                                                                FEMA-IT-11-26\n                Controls Are Not Appropriately 
Established\nFEMA-IT-10-06   Oracle Databases Supporting Financial Applications within the\n                Previous NEMIS Accreditation Boundary are Not Configured to                     FEMA-IT-11-07\n                Enforce Password Requirements\nFEMA-IT-10-07    Integrated Financial Management Information System (IFMIS)\xc2\xad\n                Merged Oracle Database is Not Configured to Prevent the Reuse of      X\n                Passwords\nFEMA-IT-10-08   Oracle Databases Supporting Financial Applications within the\n                Previous NEMIS Accreditation Boundary Do Not Adequately                         FEMA-IT-11-08\n                Enforce Account Lockout Requirements\nFEMA-IT-10-09   Audit Logging on Databases Supporting Financial Applications\n                within the Previous NEMIS Accreditation Boundary is Not                         FEMA-IT-11-12\n                Adequate\nFEMA-IT-10-10   Inadequate FEMA Contractor Tracking Program                           X\nFEMA-IT-10-11   Weaknesses Exist over IFMIS-Merger Application and Database\n                                                                                                FEMA-IT-11-24\n                Audit Logging\nFEMA-IT-10-12   Grants & Training (G&T) IFMIS Access Authorizations Were Not\n                                                                                      X\n                Consistently Documented\nFEMA-IT-10-13   G&T IFMIS Oracle Database Auditing Was Not Sufficient                 X\nFEMA-IT-10-14   Weaknesses Exist over Recertification of Access to the IFMIS-\n                                                                                                FEMA-IT-11-21\n                Merger Application\nFEMA-IT-10-15   Recertification of G&T IFMIS Application and Database Access\n                                                                                      X\n                Recertification Was Not Performed\nFEMA-IT-10-16   G&T IFMIS Was Not 
Certified and Accredited                            X\nFEMA-IT-10-17   Formalized Training Requirements for Individuals with Significant\n                Information Security Responsibilities Have Not Been Fully\n                                                                                                FEMA-IT-11-05\n                Implemented and Role-Based Training is Not Tracked or\n                Monitored\nFEMA-IT-10-18   Weaknesses Exist over the Authorization to Operate (ATO) and\n                                                                                                FEMA-IT-11-03\n                Certification & Accreditation (C&A) Documentation for NEMIS\nFEMA-IT-10-19   Lack of Adequate Configuration Management over Network\n                                                                                                FEMA-IT-11-43\n                Devices Supporting Financial Systems\nFEMA-IT-10-20   NEMIS Contingency Plan Does Not Comprehensively Address the\n                                                                                                FEMA-IT-11-04\n                Requirements of DHS Policy and Has Not Been Adequately Tested\nFEMA-IT-10-21   Employee Termination Process for Removing System Access\n                                                                                                FEMA-IT-11-34\n                Should Be More Proactive\n\n\n\n  Information Technology Management Letter for the Federal Emergency Management Agency\n\n                   Component of the FY 2011 DHS Financial Statement Audit\n\n                                          Page 26\n\n\x0c                                                                                                  Appendix C\n                                 Department of Homeland Security\n                             Federal Emergency Management Agency\n                             Information Technology Management Letter\n                                       
 September 30, 2010\n\n                                                                                             Disposition\n   NFR #                                    Description                             Closed           Repeat\nFEMA-IT-10-22   Weaknesses Exist over Management and Technical Controls\n                                                                                                FEMA-IT-11-33\n                Associated with FEMA Local Area Network (LAN) Accounts\nFEMA-IT-10-23   Weaknesses Existed over the Configuration Patch Management\n                Process for the National Flood Insurance Program (NFIP) LAN                     FEMA-IT-11-46\n                Supporting Traverse\nFEMA-IT-10-24   Risk Assessment Activities over NFIP IT Systems were Not\n                                                                                                FEMA-IT-11-32\n                Adequately Performed\nFEMA-IT-10-25   Individual User Virtual Private Network (VPN) Access Accounts\n                                                                                                FEMA-IT-11-28\n                are Not Appropriately Authorized or Recertified\nFEMA-IT-10-26   IFMIS-Merger User Access was Not Managed in Accordance with\n                                                                                                FEMA-IT-11-25\n                Account Management Procedures\nFEMA-IT-10-27   G&T IFMIS Oracle Database Security Controls Were Not\n                                                                                      X\n                Configured Properly\nFEMA-IT-10-28   Weaknesses Exist in the C&A Package for the FEMA Switched\n                                                                                                FEMA-IT-11-02\n                Network (FSN)-2, which Includes the FEMA LAN\nFEMA-IT-10-29   The PARS Has Not Been Certified and Accredited                        X\nFEMA-IT-10-30   Emergency and 
Temporary Access to IFMIS-Merger is Not\n                                                                                                FEMA-IT-11-23\n                Properly Authorized\nFEMA-IT-10-31   Weaknesses Exist in FEMA\xe2\x80\x99s Incident Response Capability               X\nFEMA-IT-10-32   G&T IFMIS and IFMIS-Merger Patch Management Weaknesses                X\nFEMA-IT-10-33   Weaknesses Exist over Vulnerability Management for Servers\n                Supporting Financial Applications within the Previous NEMIS                     FEMA-IT-11-13\n                Accreditation Boundary\nFEMA-IT-10-34   Weaknesses Exist over Vulnerability Management for G&T IFMIS\n                                                                                      X\n                and IFMIS-Merger\nFEMA-IT-10-35   Weaknesses Exist over NEMIS Patch Management Guidance                 X\nFEMA-IT-10-36   Weaknesses Exist over the Configuration and Testing of Backups\n                for Servers Supporting Financial Applications Within the Previous               FEMA-IT-11-47\n                NEMIS Accreditation Boundary\nFEMA-IT-10-37   Security Awareness Issues Associated with Social Engineering\n                                                                                      X\n                Testing at FEMA\nFEMA-IT-10-38   Physical Security and Security Awareness Issues Associated with\n                                                                                                FEMA-IT-11-41\n                Enhanced Security Testing at FEMA\nFEMA-IT-10-39   Monitoring of Configuration Changes Deployed to the IFMIS-\n                                                                                                FEMA-IT-11-18\n                Merger Production Environment are Inadequate\nFEMA-IT-10-40   System Programmers Had the Ability to Migrate Code into the\n                                                                                      X\n          
      G&T IFMIS Production Environment\nFEMA-IT-10-41   Password, Patch, and Configuration Management Weaknesses\n                Were Identified during the Vulnerability Assessment on IFMIS,         X\n                NEMIS, and Key Support Servers\nFEMA-IT-10-42   Weaknesses Exist over C&A Documentation for IFMIS-Merger                        FEMA-IT-11-31\nFEMA-IT-10-43   Weaknesses Exist over the ATO and C&A Documentation for\n                                                                                                FEMA-IT-11-03\n                NEMIS\nFEMA-IT-10-44   IFMIS-Merger System Software Administrator Activity Is Not\n                                                                                                FEMA-IT-11-30\n                Appropriately Restricted or Monitored\n\n\n\n  Information Technology Management Letter for the Federal Emergency Management Agency\n\n                   Component of the FY 2011 DHS Financial Statement Audit\n\n                                          Page 27\n\n\x0c                                                                                                 Appendix C\n                                Department of Homeland Security\n                            Federal Emergency Management Agency\n                            Information Technology Management Letter\n                                       September 30, 2010\n\n                                                                                            Disposition\n   NFR #                                   Description                             Closed           Repeat\nFEMA-IT-10-45   Weaknesses Exist over Background Investigations for Federal\n                                                                                               FEMA-IT-11-39\n                Employees and Contractors\nFEMA-IT-10-46   Key Controls over Production Servers Supporting Applications\n                Within the Former NEMIS Accreditation Boundary Have 
Not Been                   FEMA-IT-11-48\n                Implemented\nFEMA-IT-10-47   FEMA Management Needs to Improve Planning, Management,\n                and Communication Related to Financial Systems Development           X\n                and Acquisition Projects\nFEMA-IT-10-48   Weaknesses in the Management of Plans of Action & Milestones\n                                                                                               FEMA-IT-11-40\n                (POA&Ms) for Audit Findings over FEMA Financial Systems\nFEMA-IT-10-49   Documentation Supporting IFMIS-Merger User Functions Does\n                                                                                               FEMA-IT-11-06\n                Not Exist\nFEMA-IT-10-50   External Connections to the FEMA VPN Are Not Appropriately\n                                                                                               FEMA-IT-11-29\n                Authorized or Documented\nFEMA-IT-10-51   NEMIS Access Restrictions to Program Directories within the Test\n                                                                                     X\n                and Development Laboratory (TDL) Needs Improvement\nFEMA-IT-10-52   Vulnerability Assessment Program for the NFIP LAN Supporting\n                                                                                               FEMA-IT-11-45\n                Traverse was Inadequate\nFEMA-IT-10-53   Transaction Record Reporting and Processing (TRRP) Mainframe\n                                                                                     X\n                Access Accounts Are Not Periodically Reviewed\nFEMA-IT-10-54   Inadequate Implementation of DHS Systems Engineering Life\n                                                                                     X\n                Cycle (SELC) Requirements for the IFMIS-Merger Project\nFEMA-IT-10-55   NFIP LAN Audit Logging is Not Performed in Accordance with\n                   
                                                                            FEMA-IT-11-27\n                DHS and FEMA Requirements\nFEMA-IT-10-56   Weaknesses Exist over TRRP Mainframe Audit Logs                                FEMA-IT-11-22\nFEMA-IT-10-57   Lack of Formal Processes for Managing Remote Access to the\n                                                                                     X\n                LAN Supporting the TRRP Mainframe\nFEMA-IT-10-58   Traverse Configuration Management Plan Weaknesses                              FEMA-IT-11-35\nFEMA-IT-10-59   TRRP Configuration Management Plan Weaknesses                                  FEMA-IT-11-36\nFEMA-IT-10-60   Weaknesses Exist over the Implementation of Traverse System\n                                                                                     X\n                Changes\nFEMA-IT-10-61   Weaknesses Existed over Contingency Planning, Testing and\n                Development of the Continuity of Operations Plan (COOP) for                    FEMA-IT-11-10\n                TRRP and Traverse\nFEMA-IT-10-62   Weaknesses Exist over Configuration Management Processes for\n                Financial Applications within the previous NEMIS Accreditation                 FEMA-IT-11-19\n                Boundary\nFEMA-IT-10-63   Weaknesses Exist over IFMIS-Merger Configuration Management\n                                                                                               FEMA-IT-11-20\n                Processes\n\n\n\n\n  Information Technology Management Letter for the Federal Emergency Management Agency\n\n                   Component of the FY 2011 DHS Financial Statement Audit\n\n                                          Page 28\n\n\x0c                                                                             Appendix D\n\n                          Department of Homeland Security\n\n                      Federal Emergency Management Agency\n\n                      Information 
Technology Management Letter\n\n                                 September 30, 2011\n\n\n\n                 Report Distribution\n\n                 Department of Homeland Security\n\n                 Secretary\n                 Deputy Secretary\n                 General Counsel\n                 Chief of Staff\n                 Deputy Chief of Staff\n                 Executive Secretariat\n                 Under Secretary, Management\n                 Administrator, FEMA\n                 DHS Chief Information Officer\n                 DHS Chief Financial Officer\n                 Chief Financial Officer, FEMA\n                 Chief Information Officer, FEMA\n                 Chief Information Security Officer\n                 Assistant Secretary for Policy\n                 Assistant Secretary for Public Affairs\n                 Assistant Secretary for Legislative Affairs\n                 DHS GAO OIG Audit Liaison\n                 Chief Information Officer, Audit Liaison\n                 FEMA Audit Liaison\n\n                 Office of Management and Budget\n\n                 Chief, Homeland Security Branch\n                 DHS OIG Budget Examiner\n\n                 Congress\n\n                 Congressional Oversight and Appropriations Committees, as\n                 appropriate\n\n\n\n\nInformation Technology Management Letter for the Federal Emergency Management Agency\n\n                 Component of the FY 2011 DHS Financial Statement Audit\n\n                                        Page 29\n\n\x0cADDITIONAL INFORMATION AND COPIES\n\nTo obtain additional copies of this report, please call the Office of Inspector General\n(OIG) at (202)254-4100, fax your request to (202)254-4305, or e-mail your request to\nour OIG Office of Public Affairs at DHS-OIG.OfficePublicAffairs@dhs.gov. 
For\nadditional information, visit our OIG website at www.oig.dhs.gov or follow us on Twitter\n@dhsoig.\n\nOIG HOTLINE\n\nTo report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal\nor noncriminal misconduct relative to Department of Homeland Security programs and\noperations:\n\n\xe2\x80\xa2 Call our Hotline at 1-800-323-8603\n\n\xe2\x80\xa2 Fax the complaint directly to us at (202)254-4292\n\n\xe2\x80\xa2 E-mail us at DHSOIGHOTLINE@dhs.gov; or\n\n\xe2\x80\xa2 Write to us at:\n        DHS Office of Inspector General/MAIL STOP 2600,\n        Attention: Office of Investigation - Hotline,\n        245 Murray Drive SW, Building 410\n        Washington, DC 20528\n\nThe OIG seeks to protect the identity of each writer and caller.\n\x0c'